‘Prepare to Be Horrified,’ Researcher Writes About Arris-Made Routers
AT&T’s U-verse routers and gateways contain a bevy of internet-of-things coding errors that could be easily exploited by hackers, a researcher contends. As many as 235,000 hosts could be vulnerable.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
Joseph Hutchins, of San Antonio, Texas-based security consultancy Nomotion, ran down the issues he found with firmware inside the NVGxxx-series series routers, which are made by Arris.
The vulnerabilities seemed “hard to believe” at first, Hutchins writes in a blog post.
“However, for those familiar with the technical history of Arris and their careless lingering of hardcoded accounts on their products, this report will sadly come as no surprise,” he writes. “For everyone else, prepare to be horrified.”
Arris acquired Motorola’s Home business line from Google in 2013. In a statement, Arris said, “We are currently verifying the specifics of the Nomotion security report. Until this is complete, we cannot comment on its details. We can confirm Arris is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices.”
AT&T officials did not have an immediate comment on Monday, a U.S. holiday.
There is increasing pressure on manufacturers of internet-of-things devices after poor coding and security practices have led to stunning attacks. In 2016, malicious code dubbed Mirai infected network-connected cameras and video recorders. The commandeered devices were then used for distributed denial-of-service attacks (see Mirai Malware Attacker Extradited From Germany to UK).
U.S. regulators have become more involved. In January, the Federal Trade Commission filed a complaint against router maker D-Link, alleging the company falsely marketed its routers as secure, violating fair trade law. D-Link disputes the accusation (see FTC vs. D-Link: A Warning to the IoT Industry).
Hutchins dug into the firmware of Arris’ NVG-xxx series routers. AT&T distributed the NVG589 and NVG599 models to its U-verse customers. But he also writes that other U-verse routers may have some of the same problems even though the manufacturers are different.
The latest firmware update for the NVG589 and NVG599, version 9.2.2h0d83, has SSH enabled. The firmware has hard-coded credentials that can be used to access cshell, a Unix shell client.
As configured, cshell has high privileges on these routers. An attacker using the default credentials can view or change the network password or change the router’s SSID, Hutchins writes.
The firmware could also be reflashed, Hutchins writes. There’s also an odd kernel module, which Hutchins writes “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”
A scan using Censys, which is a search engine for internet-connected devices, turned up 14,894 hosts that are likely vulnerable to the cshell issue. But, he adds, “there is no guarantee expressed or implied in terms of this number being all-inclusive.”
On the NVG599, he found an https server running with default credentials. This runs as root, and Hutchins says it would be possible to exploit the access and start a reverse shell. About 220,000 devices may be vulnerable to this issue, although precise statistics are difficult to generate because the service runs on an uncommon port, he writes.
Hutchins also found a vulnerable service running on port 61001. It is possible to exploit the service to return information about the device’s configuration, including Wi-Fi credentials and the MAC addresses of internal hosts. But the attacker would first need the serial number of the router.
Most of the AT&T routers are also vulnerable to a firewall bypass, which is accomplished by brute-forcing the MAC address. There are also other ways to obtain a MAC address, such as if the attacker knows the victims public IP address.
“What this basically means is that the only thing protecting an AT&T U-verse internal network device from the internet is whether or not an attacker knows or is able to brute-force the MAC address of any of its devices,” Hutchins writes. “Note however, that the first three bytes (six characters) of a MAC address are very predictable since they correspond to the manufacturer.”
Companies Not Notified First
Hutchins apparently did not notify either AT&T or Arris of the problems before publishing the blog post. Most researchers practice what is known as responsible disclosure, which means giving vendors time to fix issues before releasing the data publicly.
Hutchins did release some methods to mitigate the vulnerabilities until patches are released. But it’s probably safe to say most consumers will never hear of the issues, let alone see the ways to mitigate it.
It’s unclear whether Arris is responsible for the problems or if AT&T introduced the issues, Hutchins says. Nevertheless, he claims that AT&T bears the responsibility for the final quality check.
“Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users,” he writes. “This, sadly, is not currently the case.”